ISO 27701, Clause 6.4.2 – During Employment

ISO 27701 Controls and Clauses Explained

Book a demo

close,up,top,view,of,african,american,young,man,typing

Organisations have an obligation towards their personnel, that extends to them informing staff of what’s expected of them within the context of privacy protection and PII – both on a general and topic-specific level.

In their capacity as PII controllers, organisations should provide ongoing training and awareness programmes, and adhering to a robust disciplinary policy that sets clear expectations on both sides, in the event of a data breach.

What’s Covered in ISO 27701 Clause 6.4.2

ISO 27701 6.4.2 contains three main sub-clauses that deal with various aspects of employment-specific privacy protection topics.

Each topic contains guidance from a number of ISO 27002 controls, presented within the context of organisational privacy information management and PII protection:

  • ISO 27701 Clause 6.4.2.1 – Management responsibilities (References ISO 27002 Control 5.4)
  • ISO 27701 Clause 6.4.2.2 – Information security awareness, education and training (References ISO 27002 Control 6.3)
  • ISO 27701 Clause 6.4.2.3 – Disciplinary procedures (References ISO 27002 Control 6.4)

Additional PIMS-specific guidance relating to the processing of PII can be found in clause 6.4.2.1, which is also linked to UK GDPR legislation.

Please note that GDPR comparisons are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on what parts of the law applies to them.

Achieve ISO 27701 Success

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 6.4.2.1 – Management Responsibilities

References ISO 27002 Control 5.4

Management play a key role in maintaining privacy protection standards – both from an administrative perspective, and also in ensuring staff understand what’s expected of them, and are conducting themselves accordingly.

Senior management should ensure that all personnel:

  • Acknowledge their individual responsibilities towards privacy information management, and privacy protection – both in general, and from a topic-specific perspective – before they are allowed to interact with PII and related assets (see ISO 27002 6.3).
  • Are provided with a clear set of guidelines and procedures that govern privacy protection within the context of their role.
  • Are given the resources and appropriate levels of authority to plan projects/changes, and meet the organisation’s general and topic-specific privacy protection policies.
  • Understand the terms and conditions of their employment, as related to privacy protection, and what they mean in practice.
  • Are given the opportunity to develop their understanding of privacy protection both as a concept, and an ongoing operational consideration.
  • Understand how to, and are provided with the means to, anonymously communicate breaches of privacy protection policies across the organisation (a.k.a. “whistleblowing”).

Relevant Controls

  • ISO 27002 6.3

ISO 27701 Clause 6.4.2.2 – Information Security Awareness, Education and Training

References ISO 27002 Control 6.3

Training

Ongoing workplace training ensures that staff are kept up to date with organisational privacy protection policies (general and topic-specific), changes within PII legislation and sector-specific regulatory guidelines.

As a general approach, organisations should implement periodic staff training programs (including during the on-boarding phase) that align specifically with their own general and topic-specific privacy protections policies, and PIMS-related requirements.

Training formats can include:

  • eLearning.
  • One-to-one consultancy.
  • Staff members shadowing one another.
  • Dedicated training seminars conducted by topic-specific or generalised privacy protection specialists.
  • Workplace mentoring.

Staff with a specialised role to play in privacy protection – e.g. ICT maintenance staff – should benefit from specialised training plans that takes into account the integral role they play in safeguarding PII.

Training plans/sessions should conclude with an assessment that provides the organisation with a top-down view of competency levels on an employee-by-employee basis.

Awareness Programs

To complement workplace training, organisations should also roll-out privacy protection awareness programs that provide staff with a range of materials that act as information points on the topic of PII and organisational privacy protection.

Awareness programs may include:

  1. leaflets.
  2. booklets.
  3. office posters.
  4. dedicated websites.
  5. team briefing sessions.

Awareness efforts should be focused on:

  • How management plans to maintain privacy protection adherence across the organisation, and who the main points of contact are for PII-related matters.
  • What the organisation’s compliance requirements are, taking into account laws, regulatory stipulations, contractual obligations and supplier agreements.
  • Emphasising the need for personal accountability when it comes to protecting PII, and what the consequences are for accidental or purposeful procedural breaches.
  • Fundamental ICT security principles, such as password security and incident reporting.
  • How personnel can inform themselves on the finer aspects of privacy protection (further reading, resource lists etc).

Additional PIMS-Specific Guidance

PII should be treated as its own distinct topic within privacy protection training programmes.

Staff need to be made acutely aware of the specific legal, commercial, reputational and disciplinary consequences that result from the misappropriation and/or mishandling of PII.

GDPR Guidance

  • Article 39 – (1)(b)

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how easy ISO 27701 is with ISMS.online
Get your quote

ISO 27701 Clause 6.4.2.3 – Disciplinary Procedures

References ISO 27002 Control 6.4

Organisations should develop disciplinary procedures that cater for individuals who have violated general or topic-specific privacy protection policies.

Prior to any disciplinary action being taken, it’s important that the organisation confirms that a policy violation has indeed taken place (see ISO 27002 5.28).

Disciplinary procedures should take into account:

  • The underlying nature of the data breach, and what the various consequences are.
  • The motives of the individual concerned, and whether the breach was intentional or not.
  • How many times the individual has breached privacy protection policy.
  • If the individual has received sufficient training on the relevant aspects of privacy privacy protection.
  • Any individual right to anonymity, throughout the disciplinary process.

Disciplinary actions in the event of a confirmed breach should be used as a deterrent for similar activity, and should take into account the organisation’s obligations as a PII controller and processor, along with all relevant laws, regulatory guidelines and contractual obligations.

Relevant Controls

  • ISO 27002 5.28

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause IdentifierISO 27701 Clause NameISO 27002 ControlAssociated GDPR Articles
6.4.2.1Management Responsibilities5.4 – Management Responsibilities for ISO 27002None
6.4.2.2Information Security Awareness, Education and Training6.3 – Information Security Awareness, Education, and Training for ISO 27002Article (39)
6.4.2.3Disciplinary Procedures6.4 – Disciplinary Process for ISO 27002None

How ISMS.online Helps

We’ve got you covered.

If for any reason you experience a lack of confidence, ability or the drive to take action during your journey to ISO 27701, we can make our team of in-house experts available or recommend one of our trusted partners to give your efforts a boost.

Here to help when you need it.

Find out more by booking a demo.

See our platform
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

We can’t think of any company whose service can hold a candle to ISMS.online.
Vivian Kroner
ISO 27001, 27701 and GDPR lead implementer Aperian Global
100% of our users pass certification first time
Book your demo

Explore ISMS.online's platform with a self-guided tour - Start Now